Method for verifying an application program in a failsafe programmable logic controller, and programmable logic controller for performing the method

ABSTRACT

A method and a programmable logic controller (SPS) for verifying an application program in a failsafe programmable logic controller, wherein a signature (desired value) is generated using program modules or a complete application program when creating a program, and a copy of the signature is stored in the programmable logic controller and in an external component, respectively. Before the safety-oriented application program is started, the copy of the signature stored by the programmable logic controller is transmitted to the external component and is compared with the copy in the external component. In a further comparison, a signature (actual value) is generated using the content of the main memory of the programmable logic controller and using the actually loaded application program and is then compared with the local copy of the desired value of the signature. Starting of the actual application program is enabled only when both comparisons are positive.

BACKGROUND OF THE INVENTION

1. Field of the Invention

The invention relates to a method for verifying an application programin a failsafe programmable logic controller and to a programmable logiccontroller.

2. Description of the Related Art

Programmable logic controllers are used in all areas of automationtechnology. Increased demands are imposed on operational safety in thoseapplications in which failure of the programmable logic controller wouldhave serious consequences, such as damage to machines and systems oreven personal injuries. The programmable logic controllers used in suchscenarios are provided, for this purpose, with measures that lead toincreased failure safety or operational safety, such as by a redundantdesign or better error detection. Such programmable logic controllersare also referred to as “safety-oriented”, “failsafe”, “fault-tolerant”,etc. Criteria for the required functional safety are also laid down innumerous standards, for example, in the European standard EN 61508.

For the failsafe “safety-oriented” programmable logic controllers, auser, for example, must be able to reliably check that the correctsafety program has been loaded into the controller, i.e., it must bepossible to check that the application program which has been loadedinto the main memory of the programmable controller is that programwhich is intended for the specific task and is not, for instance,another application program or an application program with the wrongversion number (version). Here, it must also be ensured that not onlythe “correct” application program is or has been loaded into the mainmemory but also that the program is executed and not, for instance,programs or program modules (functional modules) of another applicationprogram which was previously executed, for example. The situation maythus arise in which a complete “incorrect” or obsolete applicationprogram is executed or else only an individual functional module from apreviously executed application program is left over and is thenexecuted in an unwanted manner. The situation may likewise arise inwhich individual functional modules have been erased or damaged, withthe result that the present application program is incomplete orunusable.

In order to exclude such errors, different procedures are customary when“loading” the failsafe programmable logic controllers. It is thusensured, on the one hand, that a load memory, i.e., a memory card, ahard disk or another mass memory of the programmable logic controller,for example, contains the “correct” application program and thus the“correct” functional modules or program modules by virtue of theprogrammable logic controller determining a program identification ofthe application program or the program modules or functional modules inthe load memory. This means that, for example, the function names andthe respective version number (version) and possibly also the order(arrangement) of these “routines” in the load memory are determined asthe program identification. This information is transmitted to anexternal component, usually the creation system (“engineering system”),and is compared there with a desired value that was determined andstored when creating the application program. In the event of a positivecomparison, a confirmation message can be transmitted from the externalcomponent to the programmable logic controller, as a result of which theexecution of the application program is ultimately enabled. Thisprocedure ensures that the correct application program with all of itsassociated functional modules and program modules is present in the loadmemory, to be precise also in the correct order and in the correctversion number (version).

Nevertheless, the situation may occur in which parts (fragments) ofanother application program are still present in the main memory of theprogrammable logic controller after the application program determinedin this manner has been loaded and may thus be executed. As a result,loading regulations must be complied with, i.e., say measures must betaken that ensure program fragments or the like are removed from themain memory before the “correct” application program is loaded. This maymean, for example, or that the programmable logic controller is “reset”,that the entire main memory is filled with standard values (for example,logic “0” or logic “1” in every memory cell).

In particular, heeding the prescribed loading regulations constitutes amounting problem in practice, because these loading regulations differin different programmable logic controllers (“target systems”,“targets”) used, sometimes to a very considerable extent. This meansthat, for example, a simple programmable logic controller havingproprietary hardware, which has only a memory card as the load memoryand only a contiguous main memory, is loaded and started using differentloading regulations from those for a PC-based system, for example, inwhich the programmable logic controller is operated in a real-timeoperating system in a parallel manner to a Windows-oriented operatingsystem (for example, Microsoft Windows). Although it is ensured that the“correct” application program has actually been loaded into the mainmemory and there are additionally no other program parts or the like inthe main memory when the respectively valid loading regulations arecomplied with, errors can easily occur because of the different loadingregulations for different systems, which errors are not detected or areoften detected only with difficulty and result in the proper state notnecessarily having been reached.

Another disadvantage is that, in addition to the necessary knowledge ofthe loading regulations and the heeding of the latter, accurateknowledge or analysis of the respective programmable logic controllerand its memory structures is also necessary.

SUMMARY OF THE INVENTION

It is therefore an object of the present invention to simplify theloading process in safety-oriented programmable logic controllers.

It is also an object of the present invention to detect erroneouscontent of the main memory of the programmable logic controller, whichcontent results from erroneous performance of a loading procedure(loading regulations), for example.

These and other objects and advantages are achieved in accordance withthe present invention by a method and a programmable logic controller inwhich the application program in the load memory is not checked, or notonly the application program in the load memory is checked, for itscorrespondence to the desired state but the content of the main memoryis checked for correspondence to the desired state (desired value) afterthe loading process, with the result that undesirable states which aroseas a result of the loading regulations not being followed or as a resultof errors when applying the loading regulations are reliably detected.Another concept of the present invention is that this check and thus thecomparison between the actual value and a desired value is performedusing the affected programmable logic controller itself.

In accordance with the invention, the method verifies an applicationprogram in a safety-oriented programmable logic controller, where anapplication program consisting of a number of program modules istransmitted from a load memory to a main memory. Here, a signature isformed, as a desired value, using a plurality of the program moduleswhen creating the application program, where a first copy of thissignature is transmitted to the failsafe programmable logic controllerand is stored in the failsafe programmable logic controller. A secondcopy of this signature is stored in an external component. At leastafter the application program and the first copy of the signature havebeen transmitted to the failsafe programmable logic controller, thefirst copy of the signature is transmitted to the external component(“read back”) and is compared with the second copy of the signature by asecond comparison. Furthermore, a second signature is determined, as anactual value, from the application program in the main memory, or from aplurality of the program modules transmitted to the main memory, by amanagement entity of the failsafe programmable logic controller, afterwhich this second signature which has been determined is compared withthe first copy of the signature by a first comparison that is performedby the programmable logic controller. The programmable logic controlleris changed to a safe operating state in the event of a discrepancy inone of the comparisons.

The method in accordance with the invention ensures that the applicationprogram in the main memory of the programmable logic controllercorresponds exactly to the application program determined duringcreation (programming). The practice of reading back the signaturestored in the programmable logic controller and the comparison with thesignature stored as a desired value detect the error that occurs when nodata at all are transmitted to the programmable logic controller(neither a new application program nor a copy of the desired value ofthe signature) but rather an “old” application program with the matchingsignature is retained in the programmable logic controller. In such acase, it would otherwise be possible to start the programmable logiccontroller with an “undesirable” program.

The object is also achieved by a programmable logic controller for usein a safety-oriented application, where the programmable logiccontroller is configured to perform one of the abovementioned methods,and is equipped with a management entity for determining an actual valueof a signature of the application program in the main memory of theprogrammable logic controller and with a comparison device for comparingthe determined actual value with a second signature which is stored as adesired value. The programmable logic controller is also set up suchthat a safe operating state is activated in the event of a negativeresult of the comparison. Such a programmable logic controller makes itpossible to perform the abovementioned method, with the result that theadvantages correlated therewith can be achieved.

An emergency stop of the programmable logic controller, for example, canbe strived for as the safe operating state, where the electrical outputsof the programmable logic controller are able to be changed to statespredefined for this purpose in one advantageous embodiment.

The determination of the signature (actual value) and the comparisonwith the desired value are advantageously performed after the programhas been loaded into the main memory, i.e., before the program isstarted for the first time, with the result that execution of theerroneous application program can be prevented from the outset in theevent of an error. In one alternative embodiment, all program modulesthat are loaded into the main memory are used to create the signature(actual value), with the result that there is no need to check theentire content of the main memory if the continuous, dynamic creation ofthe signature is started after each restart of the programmable logiccontroller or “overall reset” of the main memory.

In addition, the signature (actual value) determined can also betransmitted to the external component, for example, an engineeringsystem, where a further comparison with a signature stored in theexternal component as a desired value or the copy of the signature isperformed, operation of the application program being enabled only inthe event of a positive comparison, for example, by transmitting anenable message to the programmable logic controller. The comparisoncarried out by the programmable logic controller can thus be checked orsupplemented.

The signature used as a desired value or the signatures used as thefirst and second desired values is/are advantageously determined andstored while creating the application program, a check value, forexample, Cyclic Redundancy Check (CRC) value, a hash value, a checksumor a “fingerprint”, which is characteristic of the content of therespective functional modules, program routines etc. advantageouslybeing formed instead of a program identification which is primarilybased on function and file names and their version numbers. Here, thecheck values or signatures of the individual program parts, functionalmodules or the like can advantageously be combined or calculated withone another to form a total value, for example by means of an XORfunction (XOR=exclusive OR function at the bit level). It is thuspossible to reliably detect content-related errors and structuralfaults, the structural faults being able to be detected, in particular,even when the order of the individual functional blocks and programmodules influences the signature value.

The presence of unwanted program modules or program fragments in themain memory can be reliably detected if the signature used as the actualvalue is formed from all program modules (“code sequences”) present inthe main memory and is compared with the desired value of the signaturein the load memory when the controller is started.

The present method also makes it possible to determine subsequentchanges or corruption of the content of the main memory or of that mainmemory area in which the executable application program is stored byrepeatedly redetermining the actual value of the signature duringongoing operation of the programmable logic controller and comparing theactual value again with the desired value or values again. Such repeatedexecution can also occur, for example, in breaks or in those operatingcycles in which the microprocessor of the programmable logic controlleris not completely used by the application program alone.

A creation system or a development system that was used to create theapplication program and thus also to create the desired value of thesignature is primarily possible as the external component used to carryout the second comparison. However, the functionality that performs the“external” comparison can also be moved to another component, such as asafety server that manages the order of the signatures of allsafety-oriented programs of an automation system. In particular, a“start-up server” comes into consideration for this purpose, such aserver being able to supply many or all of the programmable logiccontrollers of an automation arrangement with application programs.

Other objects and features of the present invention will become apparentfrom the following detailed description considered in conjunction withthe accompanying drawings. It is to be understood, however, that thedrawings are designed solely for purposes of illustration and not as adefinition of the limits of the invention, for which reference should bemade to the appended claims. It should be further understood that thedrawings are not necessarily drawn to scale and that, unless otherwiseindicated, they are merely intended to conceptually illustrate thestructures and procedures described herein.

BRIEF DESCRIPTION OF THE DRAWINGS

One exemplary embodiment of the method according to the invention isexplained below using the drawing. The exemplary embodiment issimultaneously used to explain a programmable logic controller accordingto the invention, in which:

FIG. 1 shows a schematic illustration of those components of aconventional programmable logic controller and of a creationsystem/engineering system for performing the method in accordance withthe invention;

FIG. 2 shows a schematic block diagram of an arrangement which is set upto perform the method in accordance with the invention; and

FIG. 3 is a flow chart of the method in accordance with an embodiment ofthe invention.

DETAILED DESCRIPTION OF THE PRESENTLY PREFERRED EMBODIMENTS

FIG. 1 schematically shows an arrangement consisting of a developmentsystem ES (also called “creation system”, “programming system” or“engineering system”) and a programmable logic controller SPS which arelinked to one another via a data link (not illustrated). Thisarrangement is intended to be used to explain a method in accordancewith the prior art. In this case, it is assumed that an applicationprogram consisting of a multiplicity of program modules F-FBx, F-DBx,F-FCx (often also referred to as “functions”, “routines”, “functionalblocks” or the like) has been created. This application program isstored in a memory BO (module folder) in the development system ES.After this application program has been completed, the developmentsystem ES creates and stores a signature SIG-S as a desired value usinga function E-SIG-S (creation of the signature desired value) which canbe executed there. Here, this signature SIG-S is a “programidentification”, i.e., it is a check value which has been created fromthe names and version names of the files of the application program orof the program modules F-FBx, F-DBx, F-FCx of the application program.In order to execute the application program on the failsafe programmablelogic controller SPS, the application program is transmitted to the loadmemory LS of the programmable logic controller SPS; the load memory LSmay be, for example, an exchangeable memory card (“flash” card or thelike), a hard disk or another mass memory.

In order to be able to execute the application program, it must betransmitted to the main memory AS. For this purpose, the objectmanagement means OV of the programmable logic controller SPS determinesinformation, for example, object names, function names, file names orversion numbers, relating to the application program or the objects,routines and program modules F-FBx, F-DBx, F-FCx that form theapplication program in the load memory LS and also transmits thisinformation to the development system ES. There, a function E-SIG-I(creation of the signature actual value), which may also be identical tothe function E-SIG-S in one advantageous refinement, creates the actualvalue of a signature SIG-I from this information. The desired valueSIG-S and the actual value SIG-I are then compared using a comparison V,where a positive acknowledgement message is transmitted to an objectmanagement device OV of the programmable logic controller SPS followinga match. Before, during or after this comparison, the programmable logiccontroller SPS executes a sequence of loading instructions or loadingregulations, which ensures that the main memory AS is completely erased,with the result that no fragments of previously executed applicationprograms remain there.

According to the loading regulations, the application program which hasbeen enabled using the positive acknowledgement message and the programmodules forming the application program are now loaded into the mainmemory AS and are executed, where the program is naturally preventedfrom being started in the event of a negative acknowledgement message.In such a case, outputs (not illustrated) of the programmable logiccontroller SPS are changed to a defined state or are switched off, forexample. Here, the “safe operating state” can be defined separately foreach programmable logic controller SPS or each application. The loadingregulations may also comprise operating instructions which ensure thatthe application program is transmitted to the main memory completely andcorrectly, for example by means of so-called “control reading”(“verify”).

For the exemplary embodiment of the prior art depicted in FIG. 1, asimple architecture which can be started using simple loadingregulations was chosen for reasons of clarity. In practice, more complexarchitectures which may differ considerably from one another dependingon the specific situation and require complex and often very differentloading regulations are generally used. Here, the execution of theincorrect loading regulations, i.e., the loading regulations that do notsuit the specific configuration, may lead to undesirable results whichadditionally are not necessarily detected.

The functions E-SIG-S and E-SIG-I and the device for performing thecomparison V may be combined in a software module PI (programidentification); a corresponding situation applies to the analogousfunctions E-SIG-S and E-SIG-I2 and the device for carrying out thecomparison V2 in FIG. 2 discussed below.

The method according to the invention is explained below using FIG. 2,in which case those components, devices and functions whose designationor reference symbol is already known from FIG. 1 are not describedagain.

In terms of the hardware, the architecture shown in FIG. 2 correspondsto the situation explained using FIG. 1 (prior art). Following thecreation of an application program that is again present in the memoryBO of the development system ES, a function E-SIG-S, in this case, alsogenerates a signature (desired value) using the application program orthe program modules F-FBx, F-DBx, F-FCx of the application program.However, a first copy SIG-S-1 of this signature is now stored in theprogrammable logic controller SPS, storage being able to be effectedeither together with the application program in the load memory LS orelse at a location (storage device) of the programmable logic controllerSPS that differs from the load memory LS. In addition, a second copySIG-S-2 is stored in a memory of the development system ES.

In the following explanation, it is assumed below that the applicationprogram is present in the load memory LS and the first copy of thesignature SIG-S-1 is stored in a second memory of the programmable logiccontroller SPS that differs from the load memory LS. This second memorymay advantageously be a smart card that was inserted, as a “start key”into a reader of the programmable logic controller SPS, with the resultthat the information stored there, in particular the first copy of thesignature SIG-S-1, can be read by an object management device OV. Inorder to prepare the program start, the object management device OVimplements loading regulations that result in the main memory AS beingerased, and in the application program and thus the program modules thenbeing transmitted from the load memory to the main memory AS, afterwhich the safety check is performed. The loading regulations may beadvantageously permanently stored in a memory of the programmable logiccontroller SPS.

The safety check involves calling a function E-SIG-I1, as a result ofwhich the SPS and the function E-SIG-I1 present there create a signature(program signature, CRC value or “fingerprint”) using the content of themain memory AS, this actual value being compared, by a comparison V1,with the signature SIG-S-1 stored as a desired value. Alternatively,each program block or the like, which is transmitted to the main memoryAS, can also contribute to forming the signature, with the result that“screening” of the main memory is remissible and is replaced with thesuccessive checking of the program modules that have been loaded anderased (unloaded) in the sense of “flow control”.

If the comparison V1 is positive, execution of the application programin the main memory AS is enabled. In the event of a negative comparison,the programmable logic controller SPS is changed to a safe operatingstate which has already been explained using the prior art (FIG. 1). Thecomparison results can be evaluated by a routine of the applicationprogram itself. Here, the application program should be configured suchthat this routine is executed before safety-critical instructions areperformed. Alternatively, such tasks could also be performed by“firmware”.

Furthermore, a second comparison V2 is performed before the applicationprogram is started, i.e., before, during or after performing the firstcomparison V1, for which purpose information is transmitted from theprogrammable logic controller SPS to the development system ES. Thisinformation includes that copy of the signature (desired value) SIG-S-1which is stored by the programmable logic controller and is compared, bya comparison V2, with a second copy SIG-S-2 (second copy of the desiredvalue) stored by the development system ES. In the event of a positivecomparison, a corresponding positive acknowledgement message is sent tothe programmable logic controller SPS, this message, together with thepositive result of the first comparison V1, enabling the applicationprogram present in the main memory AS, as a result of which programexecution can start. It goes without saying that, in the event of anegative second comparison V2, a negative acknowledgement message issent to the programmable logic controller SPS, as a result of which thesafe operating state which has already been described is initiated.

In one advantageous embodiment, the signature (“actual value”) which hasalready been generated by the function E-SIG-I1 is additionallytransmitted to the development system ES or to another externalcomponent, with the result that said signature can be directly compared,by a further second comparison V2, with the second copy SIG-S-2 storedthere.

Whereas the method in accordance with to the invention can be used toensure that the application program has been correctly transmitted tothe main memory AS and the necessary loading regulations have also beensuccessfully and correctly applied without having to know or check thespecific architecture and the specific loading regulations, it canfurthermore also be ensured that the “correct” application program forthe present situation is also present in the load memory LS, with theresult that it is possible to prevent operation of the programmablelogic controller SPS with an application program which, although alsovalid in principle, is intended for another application.

FIG. 3 is a flowchart of a method for verifying an application programin a failsafe programmable logic controller, where the applicationprogram consists of a plurality of program modules transmitted from aload memory to a main memory. The method comprises forming, as a desiredvalue, a signature using either the application program or the pluralityof the program modules when creating the application program, asindicated in step 310. Here, a first copy of the formed signature istransmitted to the failsafe programmable logic controller and is storedin the failsafe programmable logic controller, and a second copy of theformed signature is stored in an external component.

Next, the first copy of the formed signature is transmitted to theexternal component and the transmitted first copy of the formedsignature is compared with the second copy of the formed signature by asecond comparison after the application program and/or the first copy ofthe formed signature is transmitted to the failsafe programmable logiccontroller, as indicated in step 320.

A second signature is now determined as an actual value from either theapplication program in the main memory or the plurality of the programmodules transmitted to the main memory by a management entity of thefailsafe programmable logic controller, as indicated in step 330.

Next, the determined second signature is compared with the first copy ofthe formed signature by a first comparison of the programmable logiccontroller, as indicated in step 340.

The programmable logic controller is then changed to a safe operatingstate in an event of a discrepancy in the first comparison and/or adiscrepancy in the second comparison, as indicated in step 350.

Thus, while there have shown and described and pointed out fundamentalnovel features of the invention as applied to a preferred embodimentthereof, it will be understood that various omissions and substitutionsand changes in the form and details of the devices illustrated, and intheir operation, may be made by those skilled in the art withoutdeparting from the spirit of the invention. For example, it is expresslyintended that all combinations of those elements and/or method stepswhich perform substantially the same function in substantially the sameway to achieve the same results are within the scope of the invention.Moreover, it should be recognized that structures and/or elements and/ormethod steps shown and/or described in connection with any disclosedform or embodiment of the invention may be incorporated in any otherdisclosed or described or suggested form or embodiment as a generalmatter of design choice. It is the intention, therefore, to be limitedonly as indicated by the scope of the claims appended hereto.

What is claimed is:
 1. A method for verifying an application program ina failsafe programmable logic controller, the application programconsisting of a plurality of program modules transmitted from a loadmemory to a main memory, the method comprising: forming, as a desiredvalue, a signature using one of the application program and theplurality of the program modules when creating the application program,a first copy of the formed signature being transmitted to the failsafeprogrammable logic controller and being stored in the failsafeprogrammable logic controller, and a second copy of the formed signaturebeing stored in an external component; transmitting the first copy ofthe formed signature to the external component and comparing thetransmitted first copy of the formed signature with the second copy ofthe formed signature by a second comparison after at least one of theapplication program and the first copy of the formed signature istransmitted to the failsafe programmable logic controller; determining,as an actual value, a second signature from one of the applicationprogram in the main memory and the plurality of the program modulestransmitted to the main memory by a management entity of the failsafeprogrammable logic controller; comparing the determined second signaturewith the first copy of the formed signature by a first comparison of theprogrammable logic controller; and changing the programmable logiccontroller to a safe operating state in an event of at least one of adiscrepancy in the first comparison and a discrepancy in the secondcomparison; wherein the second signature determined as the actual valueis transmitted to the external component, a device of the externalcomponent performing a further comparison with the second copy of thesignature stored in the device as the desired value, operation of theapplication program in the programmable logic controller being enabledin an event of a positive result of the further comparison.
 2. Themethod as claimed in patent claim 1, wherein execution of theapplication program in the main memory is prevented or the applicationprogram is stopped to change the programmable logic controller to thesafe operating state.
 3. The method as claimed in claim 1, wherein thedetermination of the signature used as the actual value and the firstcomparison with the second signature are performed before theapplication program is started.
 4. The method as claimed in claim 1,wherein one of the signature and the first and second copies of theformed signatures used as desired values are calculated when creatingthe application program.
 5. The method as claimed in claim 1, whereinthe first and second copy of the formed signatures used as the actualvalue and as the desired value are each formed from one of propertiesand signatures of individual program modules of the plurality of programmodules.
 6. The method as claimed in claim 1, wherein the secondsignature used as the actual value is determined from all programmodules of the plurality of program modules one of in the main memoryand transmitted to the main memory during a loading process.
 7. Themethod as claimed in claim 1, wherein verification by determining theactual value of the signature and by comparing the signature with thefirst copy of the formed signature stored as the desired value isrepeatedly performed during operation of the programmable logiccontroller.
 8. The method as claimed in claim 1, wherein the externalcomponent comprises one of a development system and an engineeringsystem for creating the application program.
 9. The method as claimed inclaim 1, wherein the external component comprises one of a safety serverand a load server of an industrial automation.